{ "type": "Domain", "indicator": "techzenspace.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/techzenspace.com", "alexa": "http://www.alexa.com/siteinfo/techzenspace.com", "indicator": "techzenspace.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2691992300, "indicator": "techzenspace.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "620ce6762c243df4fb194d83", "name": "Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months", "description": "FortiGuard Labs has identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months FortiGuard Labs found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims.\nThis campaign exclusively targets Israeli organizations. Close examination reveals that the group has been active for over a year, much earlier than the group\u2019s first official public exposure, managing to stay under the radar with an extremely low detection rate.\nFortiGuard Labs covers the Techniques, Tactics, and Procedures (TTPs) used by Moses Staff and reveal a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.", "modified": "2022-03-18T00:04:44.902000", "created": "2022-02-16T11:56:38.241000", "tags": [ "Moses Staff", "TTPs", "ProxyShell", "DriveGuard" ], "references": [ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "public": 1, "adversary": "Moses Staff", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "DriveGuard", "display_name": "DriveGuard", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 308, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 377535, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674afb83c67ff4443e9f953a", "name": "PolymodXT.exe", "description": "", "modified": "2025-05-14T21:18:19.590000", "created": "2024-11-30T11:48:19.052000", "tags": [ "file", "flagi", "process sha256", "process disc", "pathway z", "identyfikator", "zawiera moliwo", "klucz", "zawiera", "wybierz", "nie mona", "przechowywanie", "haso", "obiekt", "cig uid", "zilla", "enumerate", "defender", "pragma", "security", "license v2", "ff ff", "fc e8", "f8 ff", "fc ff", "c9 c3", "e4 f8", "cc cc", "fc eb", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard", "windows nt", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 528, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 414, "FileHash-SHA1": 410, "FileHash-SHA256": 1940, "URL": 171, "hostname": 56, "domain": 134, "YARA": 759, "email": 4 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb982432751ed32fd0404b", "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397", "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.", "modified": "2025-05-14T21:10:44.900000", "created": "2025-03-08T01:06:44.421000", "tags": [ "vhash", "authentihash", "ssdeep", "rticon serbian", "arabic libya", "ico rtgroupicon", "serbian arabic", "libya", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "security", "license v2", "f6 d9", "sha256", "imphasz", "externalnet", "homenet", "unreachable", "imageendswith", "example", "imagestartswith", "files", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "code integrity", "checks id", "detects code", "thomas patzke", "filessophos", "outbound smtp", "connections id", "smtp", "david burkett", "signalblur", "commandline", "svchost parent", "process id", "roth", "nextron", "service binary", "system", "automatic", "manual", "filter fp", "avast software", "new service", "creation id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 168, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 28, "FileHash-SHA256": 1065, "URL": 984, "YARA": 535, "domain": 262, "email": 4, "hostname": 316 }, "indicator_count": 3233, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62159a5bce5fa56252e11c82", "name": "Moses Staff\u9ed1\u5ba2\u7ec4\u7ec7\u6301\u7eed\u6570\u6708\u5bf9\u4ee5\u8272\u5217\u591a\u4e2a\u884c\u4e1a\u7ec4\u7ec7\u8fdb\u884c\u653b\u51fb", "description": "\u8fd1\u65e5\uff0cFortiEDR\u53d1\u73b0\u4e86\u4e00\u8d77\u7531 Moses Staff \u9ed1\u5ba2\u7ec4\u7ec7\u53d1\u8d77\u7684\u653b\u51fb\uff0c\u8fd9\u573a\u653b\u51fb\u4e13\u95e8\u9488\u5bf9\u4ee5\u8272\u5217\u7684\u591a\u4e2a\u884c\u4e1a\u7ec4\u7ec7\u3002\u7ecf\u8c03\u67e5\uff0c\u8be5\u7ec4\u7ec7\u5df2\u7ecf\u6d3b\u8dc3\u4e86\u4e00\u5e74\u591a\uff0c\u5728\u672c\u6b21\u653b\u51fb\u4e2d\uff0c\u8be5\u7ec4\u7ec7\u901a\u8fc7\u4f7f\u7528\u7684\u4e00\u4e2a\u65b0\u7684\u540e\u95e8\uff0c\u7528\u4e8e\u4e0b\u8f7d\u6587\u4ef6\u3001\u6267\u884c\u6709\u6548\u8f7d\u8377\u3001\u4ece\u76ee\u6807\u7f51\u7edc\u4e2d\u7a83\u53d6\u6570\u636e\u3002", "modified": "2022-05-12T00:04:24.089000", "created": "2022-02-23T02:22:18.992000", "tags": [ "formbook", "phishing", "staff", "moses staff", "fortiedr", "cybersecurity architect", "threat research", "fortiguard labs", "figure", "loadlibrary", "export", "fortinet", "driveguard", "download", "alliance", "february", "impact", "capture", "virustotal", "april", "HotSpot" ], "references": [ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "public": 1, "adversary": "Staff", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sd123456", "id": "172789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1438 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "622f0681912e362bb24b2888", "name": "E-Commerce Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, a security incident at Hong Kong\u2019s largest online shopping platform (HKTVMall) led to the unauthorized access of customer information. The affected information included delivery addresses, recipient names, and contact numbers of 4.38 million customers.\n\nOther Major Incidents\nFew e-commerce store clients reported an antivirus warning appearing on the checkout page. Moses Staff threat group was linked with multiple espionage and sabotage attacks on Israeli entities. The group had used StrifeWater RAT that masqueraded as the Windows Calculator. A security breach affected the e-commerce website melijoe[.]com, owned by Melijoe. A security bypass vulnerability (CVE-2022-25355) was identified in EC-CUBE that could allow a malicious user to bypass the authentication mechanism and obtain access to the exposed system.", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T09:10:25.831000", "tags": [ "staff urls", "ip address", "sha1", "file name", "E-Commerce Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "1467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622b43c2a26db71efff7902f", "name": "Manufacturing Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, the Chinese APT actor Antlion was using a custom backdoor xPack against financial and manufacturing organizations. The malware was used in a campaign against targets in Taiwan. The attack spanned for more than 18 months and allowed the attackers to run stealthy cyber-espionage operations.\n\nOther Major Incidents\nMoses Staff group was tied to multiple waves of espionage/sabotage attacks using StrifeWater RAT. The Conti group had targeted the Hula Hoops, KP Nuts, Butterkist popcorn, and Nik Naks firms. The U.S. CISA warned regarding multiple vulnerabilities in the Airspan Networks Mimosa equipment. Toyota Motor stopped operations after a major supplier was hit by a cyberattack. Bridgestone's La Vergne plant had faced possible cyber attack.", "modified": "2022-04-10T00:02:49.890000", "created": "2022-03-11T12:42:41.999000", "tags": [ "staff urls", "ip address", "sha1", "file name", "xpack backdoor", "sha256", "Manufacturing Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 15, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 194, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6229baccf180e78b1798e87a", "name": "Energy and Power Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, a politically motivated threat group, dubbed Moses Staff, was tied to multiple waves of espionage and sabotage attacks. The attacks were aimed at Israeli entities including the Energy sector and made use of StrifeWater RAT masquerading as the Windows Calculator app to stay under the radar.\n\nOther Major Incidents\nThe BlackCat ransomware had targeted the Oiltanking GmbH Group. Major oil terminals in Western Europe's biggest ports became victims of cyberattacks. The FBI warned organizations against the malicious activities of Emennet Pasargad. Three new threat groups Kostovite, Petrovite, and Erythrite were found targeting the industrial sector. TiltedTemple camping was found exploiting CVE-2021-40539 and CVE-2021-44077 flaws in cyberattacks aimed at the energy sector. The campaign was using a backdoor named SockDetour.", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T08:46:04.918000", "tags": [ "public key", "staff urls", "ip address", "sha1", "file name", "sockdetour pe", "sockdetour", "embedded", "socketdetour", "Energy and Power Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 11, "domain": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 194, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6229bcb0b46217027464d2fc", "name": "Transportation Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, the logistics and freight forwarding firm Expeditors International was affected by a cyber incident that paralyzed most of its operations around the world. After discovering the attack, the firm did not provide any further details about the attack and declared to have launched an investigation.\n\nOther Major Incidents\nMedusa trojan was spreading via the SMiShing service known as Cabassous and was found masquerading as a DHL shipping firm. An unauthenticated API call flaw was discovered in DPD Group\u2019s package tracking system. Swissport disclosed a ransomware attack on its IT systems. The FBI warned organizations against the malicious activities of Emennet Pasargad. The Moses Staff group was tied to multiple waves of espionage and sabotage attacks using StrifeWater RAT.", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T08:54:08.165000", "tags": [ "vhash", "ssdeep", "staff urls", "ip address", "sha1", "file name", "Transportation Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 1, "hostname": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6218cb8dd18c8d8f7cbd43b9", "name": "Moses Staff Hacker Group Exclusively Targets Israeli Organizations with StrifeWater Backdoor", "description": "As part of a new cyber campaign, the politically motivated Moses Staff hacker group is using a custom multi-component toolset to exclusively target Israeli organizations. Moses Staff is believed to be sponsored by the Iranian government.\n\nAttack path\nThe latest campaign involves an attack path that leverages the ProxyShell vulnerability in Microsoft Exchange servers as an initial infection vector to deploy two web shells. It is followed by exfiltrating Outlook Data Files (.PST) from the compromised server. Subsequently, it attempts to steal credentials by dumping the memory contents of a critical Windows process, before dropping and loading the \"StrifeWater\" backdoor (broker.exe).", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T12:29:01.773000", "tags": [ "iocs file", "sha256", "file", "event", "event program", "domains", "urls http", "Moses Staff" ], "references": [ "fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61fbac11483ce8f3081c1a7c", "name": "Iranian APT Adds StrifeWater RAT to Ransomware", "description": "This RAT is capable of remove itself from the system to cover the Iranian APT tracks, together with the capabilities of command execution and screen capturing, as well as download additional extensions.", "modified": "2022-03-05T00:01:03.599000", "created": "2022-02-03T10:18:57.288000", "tags": [], "references": [ "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 257, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 256, "modified_text": "1506 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61fa383195cad043b845dcf6", "name": "StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations", "description": "", "modified": "2022-03-04T00:00:56.902000", "created": "2022-02-02T07:52:17.547000", "tags": [], "references": [ "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 850, "modified_text": "1507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61fa3ac08d8b51cacec805ff", "name": "StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations", "description": "The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group\u2019s tracks. The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.", "modified": "2022-03-04T00:00:56.902000", "created": "2022-02-02T08:03:12.093000", "tags": [ "moses staff", "strifewater rat", "pydcrypt", "staff", "team", "strifewater", "iran", "cybereason xdr", "israel", "italy", "download", "energy", "trojan", "ransomware", "hello", "persistence", "cyber" ], "references": [ "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Yukokuri", "id": "178918", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "URL": 1, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "1507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61dbe25f3751644865dd2398", "name": "NewDom-5-20220110", "description": "ICANN-Dom", "modified": "2022-02-24T00:00:20.162000", "created": "2022-01-10T07:38:07.597000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 204, "modified_text": "1515 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://www.jelenia-gora.sr.gov.pl/spacer", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "fortinet.com/blog/threat-research/guard-your-drive-from-driveguard", "Suspicious New Service Creation (1).yml", "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations", "Windows_Trojan_Tofsee.yar" ], "related": { "alienvault": { "adversary": [ "Moses Staff" ], "malware_families": [ "Driveguard" ], "industries": [] }, "other": { "adversary": [ "Informational", "Malware Advisory", "Staff" ], "malware_families": [ "", "Phishing", "Formbook", "Serwer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "620ce6762c243df4fb194d83", "name": "Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months", "description": "FortiGuard Labs has identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months FortiGuard Labs found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims.\nThis campaign exclusively targets Israeli organizations. Close examination reveals that the group has been active for over a year, much earlier than the group\u2019s first official public exposure, managing to stay under the radar with an extremely low detection rate.\nFortiGuard Labs covers the Techniques, Tactics, and Procedures (TTPs) used by Moses Staff and reveal a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.", "modified": "2022-03-18T00:04:44.902000", "created": "2022-02-16T11:56:38.241000", "tags": [ "Moses Staff", "TTPs", "ProxyShell", "DriveGuard" ], "references": [ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "public": 1, "adversary": "Moses Staff", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "DriveGuard", "display_name": "DriveGuard", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 308, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 377535, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674afb83c67ff4443e9f953a", "name": "PolymodXT.exe", "description": "", "modified": "2025-05-14T21:18:19.590000", "created": "2024-11-30T11:48:19.052000", "tags": [ "file", "flagi", "process sha256", "process disc", "pathway z", "identyfikator", "zawiera moliwo", "klucz", "zawiera", "wybierz", "nie mona", "przechowywanie", "haso", "obiekt", "cig uid", "zilla", "enumerate", "defender", "pragma", "security", "license v2", "ff ff", "fc e8", "f8 ff", "fc ff", "c9 c3", "e4 f8", "cc cc", "fc eb", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard", "windows nt", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 528, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 414, "FileHash-SHA1": 410, "FileHash-SHA256": 1940, "URL": 171, "hostname": 56, "domain": 134, "YARA": 759, "email": 4 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb982432751ed32fd0404b", "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397", "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.", "modified": "2025-05-14T21:10:44.900000", "created": "2025-03-08T01:06:44.421000", "tags": [ "vhash", "authentihash", "ssdeep", "rticon serbian", "arabic libya", "ico rtgroupicon", "serbian arabic", "libya", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "security", "license v2", "f6 d9", "sha256", "imphasz", "externalnet", "homenet", "unreachable", "imageendswith", "example", "imagestartswith", "files", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "code integrity", "checks id", "detects code", "thomas patzke", "filessophos", "outbound smtp", "connections id", "smtp", "david burkett", "signalblur", "commandline", "svchost parent", "process id", "roth", "nextron", "service binary", "system", "automatic", "manual", "filter fp", "avast software", "new service", "creation id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 168, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 28, "FileHash-SHA256": 1065, "URL": 984, "YARA": 535, "domain": 262, "email": 4, "hostname": 316 }, "indicator_count": 3233, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62159a5bce5fa56252e11c82", "name": "Moses Staff\u9ed1\u5ba2\u7ec4\u7ec7\u6301\u7eed\u6570\u6708\u5bf9\u4ee5\u8272\u5217\u591a\u4e2a\u884c\u4e1a\u7ec4\u7ec7\u8fdb\u884c\u653b\u51fb", "description": "\u8fd1\u65e5\uff0cFortiEDR\u53d1\u73b0\u4e86\u4e00\u8d77\u7531 Moses Staff \u9ed1\u5ba2\u7ec4\u7ec7\u53d1\u8d77\u7684\u653b\u51fb\uff0c\u8fd9\u573a\u653b\u51fb\u4e13\u95e8\u9488\u5bf9\u4ee5\u8272\u5217\u7684\u591a\u4e2a\u884c\u4e1a\u7ec4\u7ec7\u3002\u7ecf\u8c03\u67e5\uff0c\u8be5\u7ec4\u7ec7\u5df2\u7ecf\u6d3b\u8dc3\u4e86\u4e00\u5e74\u591a\uff0c\u5728\u672c\u6b21\u653b\u51fb\u4e2d\uff0c\u8be5\u7ec4\u7ec7\u901a\u8fc7\u4f7f\u7528\u7684\u4e00\u4e2a\u65b0\u7684\u540e\u95e8\uff0c\u7528\u4e8e\u4e0b\u8f7d\u6587\u4ef6\u3001\u6267\u884c\u6709\u6548\u8f7d\u8377\u3001\u4ece\u76ee\u6807\u7f51\u7edc\u4e2d\u7a83\u53d6\u6570\u636e\u3002", "modified": "2022-05-12T00:04:24.089000", "created": "2022-02-23T02:22:18.992000", "tags": [ "formbook", "phishing", "staff", "moses staff", "fortiedr", "cybersecurity architect", "threat research", "fortiguard labs", "figure", "loadlibrary", "export", "fortinet", "driveguard", "download", "alliance", "february", "impact", "capture", "virustotal", "april", "HotSpot" ], "references": [ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "public": 1, "adversary": "Staff", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sd123456", "id": "172789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1438 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "622f0681912e362bb24b2888", "name": "E-Commerce Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, a security incident at Hong Kong\u2019s largest online shopping platform (HKTVMall) led to the unauthorized access of customer information. The affected information included delivery addresses, recipient names, and contact numbers of 4.38 million customers.\n\nOther Major Incidents\nFew e-commerce store clients reported an antivirus warning appearing on the checkout page. Moses Staff threat group was linked with multiple espionage and sabotage attacks on Israeli entities. The group had used StrifeWater RAT that masqueraded as the Windows Calculator. A security breach affected the e-commerce website melijoe[.]com, owned by Melijoe. A security bypass vulnerability (CVE-2022-25355) was identified in EC-CUBE that could allow a malicious user to bypass the authentication mechanism and obtain access to the exposed system.", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T09:10:25.831000", "tags": [ "staff urls", "ip address", "sha1", "file name", "E-Commerce Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "1467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622b43c2a26db71efff7902f", "name": "Manufacturing Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, the Chinese APT actor Antlion was using a custom backdoor xPack against financial and manufacturing organizations. The malware was used in a campaign against targets in Taiwan. The attack spanned for more than 18 months and allowed the attackers to run stealthy cyber-espionage operations.\n\nOther Major Incidents\nMoses Staff group was tied to multiple waves of espionage/sabotage attacks using StrifeWater RAT. The Conti group had targeted the Hula Hoops, KP Nuts, Butterkist popcorn, and Nik Naks firms. The U.S. CISA warned regarding multiple vulnerabilities in the Airspan Networks Mimosa equipment. Toyota Motor stopped operations after a major supplier was hit by a cyberattack. Bridgestone's La Vergne plant had faced possible cyber attack.", "modified": "2022-04-10T00:02:49.890000", "created": "2022-03-11T12:42:41.999000", "tags": [ "staff urls", "ip address", "sha1", "file name", "xpack backdoor", "sha256", "Manufacturing Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 15, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 194, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6229baccf180e78b1798e87a", "name": "Energy and Power Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, a politically motivated threat group, dubbed Moses Staff, was tied to multiple waves of espionage and sabotage attacks. The attacks were aimed at Israeli entities including the Energy sector and made use of StrifeWater RAT masquerading as the Windows Calculator app to stay under the radar.\n\nOther Major Incidents\nThe BlackCat ransomware had targeted the Oiltanking GmbH Group. Major oil terminals in Western Europe's biggest ports became victims of cyberattacks. The FBI warned organizations against the malicious activities of Emennet Pasargad. Three new threat groups Kostovite, Petrovite, and Erythrite were found targeting the industrial sector. TiltedTemple camping was found exploiting CVE-2021-40539 and CVE-2021-44077 flaws in cyberattacks aimed at the energy sector. The campaign was using a backdoor named SockDetour.", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T08:46:04.918000", "tags": [ "public key", "staff urls", "ip address", "sha1", "file name", "sockdetour pe", "sockdetour", "embedded", "socketdetour", "Energy and Power Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 11, "domain": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 194, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6229bcb0b46217027464d2fc", "name": "Transportation Sector Cyber Threat Intel - Key Insights (February 2022)", "description": "In February, the logistics and freight forwarding firm Expeditors International was affected by a cyber incident that paralyzed most of its operations around the world. After discovering the attack, the firm did not provide any further details about the attack and declared to have launched an investigation.\n\nOther Major Incidents\nMedusa trojan was spreading via the SMiShing service known as Cabassous and was found masquerading as a DHL shipping firm. An unauthenticated API call flaw was discovered in DPD Group\u2019s package tracking system. Swissport disclosed a ransomware attack on its IT systems. The FBI warned organizations against the malicious activities of Emennet Pasargad. The Moses Staff group was tied to multiple waves of espionage and sabotage attacks using StrifeWater RAT.", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T08:54:08.165000", "tags": [ "vhash", "ssdeep", "staff urls", "ip address", "sha1", "file name", "Transportation Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 1, "hostname": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "techzenspace.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "techzenspace.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776617222.1734006 }